Hello,
I am proposing we switch upstreams for two packages in the system
repository to Debian due to our current upstreams having dried up.
Please leave your comments on this list or on the individual merge
requests.
Thanks,
Max Rees
===== system/unzip =====
The last release from Info-ZIP was 6.0 on 20 April 2009. Since that
time, the following nine CVEs have been issued and no upstream fixes
have been released:
CVE-2014-8139: Heap-based buffer overflow in the CRC32 verification in
Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute
arbitrary code via a crafted zip file in the -t command argument to the
unzip command.

CVE-2014-8140: Heap-based buffer overflow in the test_compr_eb function
in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute
arbitrary code via a crafted zip file in the -t command argument to the
unzip command.

CVE-2014-8141: Heap-based buffer overflow in the getZip64Data function
in Info-ZIP UnZip 6.0 and earlier allows remote attackers to execute
arbitrary code via a crafted zip file in the -t command argument to the
unzip command.

CVE-2014-9636: unzip 6.0 allows remote attackers to cause a denial of
service (out-of-bounds read or write and crash) via an extra field with
an uncompressed size smaller than the compressed field size in a zip
archive that advertises STORED method compression.

CVE-2014-9913: Buffer overflow in the list_files function in list.c in
Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service
(crash) via vectors related to the compression method.

CVE-2016-9844: Buffer overflow in the zi_short function in zipinfo.c in
Info-Zip UnZip 6.0 allows remote attackers to cause a denial of service
(crash) via a large compression method value in the central directory
file header.

CVE-2018-18384: Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when
a ZIP archive has a crafted relationship between the compressed-size
value and the uncompressed-size value, because a buffer size is 10 and
is supposed to be 12.

CVE-2018-1000035: A heap-based buffer overflow exists in Info-Zip UnZip
version <= 6.00 in the processing of password-protected archives that
allows an attacker to perform a denial of service or to possibly achieve
code execution.

CVE-2019-13232: Info-ZIP UnZip 6.0 mishandles the overlapping of files
inside a ZIP container, leading to denial of service (resource
consumption), aka a "better zip bomb" issue.
Merge request URL:
https://code.foxkit.us/adelie/packages/merge_requests/413
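As an added example (not part of this proposal, and not Info-ZIP's or Debian's code), here is a Python script a maintainer could run over an archive before handing it to an unpatched unzip. It reads the central directory with the standard library's zipfile module, re-reads each local file header to get its exact length, and then flags two of the malformed shapes listed above: entries whose header-plus-data ranges overlap (the structure behind the "better zip bomb" of CVE-2019-13232) and STORED entries whose compressed and uncompressed sizes disagree (the inconsistency CVE-2014-9636 relies on). The names Entry, entries_from_zip, find_overlaps, stored_size_mismatches, scan and build_sample_zip are my own; the archive produced by build_sample_zip is a constructed, benign sample used only to show a clean result.

```python
import io
import struct
import zipfile
from dataclasses import dataclass

# Fixed part of a local file header (APPNOTE section 4.3.7): signature,
# version, flags, method, mtime, mdate, crc, csize, usize, name len, extra len.
LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4s5H3L2H"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes


@dataclass
class Entry:
    """One central-directory record plus the measured local header length."""
    name: str
    header_offset: int     # where the local file header starts
    local_header_len: int  # 30 + filename length + local extra-field length
    compress_size: int
    file_size: int
    compress_type: int

    @property
    def end(self):
        # First byte after this entry's compressed data.
        return self.header_offset + self.local_header_len + self.compress_size


def entries_from_zip(fileobj):
    """Build Entry records from the central directory, re-reading each local header."""
    entries = []
    with zipfile.ZipFile(fileobj) as zf:
        raw = zf.fp
        for info in zf.infolist():
            raw.seek(info.header_offset)
            hdr = raw.read(LOCAL_HEADER_LEN)
            if len(hdr) != LOCAL_HEADER_LEN or hdr[:4] != LOCAL_HEADER_SIG:
                raise ValueError(
                    f"{info.filename}: central directory offset "
                    f"{info.header_offset} does not point at a local header")
            fields = struct.unpack(LOCAL_HEADER_FMT, hdr)
            name_len, extra_len = fields[-2], fields[-1]
            entries.append(Entry(
                name=info.filename,
                header_offset=info.header_offset,
                local_header_len=LOCAL_HEADER_LEN + name_len + extra_len,
                compress_size=info.compress_size,
                file_size=info.file_size,
                compress_type=info.compress_type,
            ))
    return entries


def find_overlaps(entries):
    """Return (covering, covered) name pairs whose header+data ranges overlap.

    A well-formed archive lays entries out back to back; two central
    directory records pointing into the same bytes is the shape behind
    the overlapping-files issue.
    """
    overlaps = []
    cover_name, cover_end = None, -1
    for e in sorted(entries, key=lambda e: e.header_offset):
        if e.header_offset < cover_end:
            overlaps.append((cover_name, e.name))
        if e.end > cover_end:
            cover_name, cover_end = e.name, e.end
    return overlaps


def stored_size_mismatches(entries):
    """STORED means no compression, so both sizes must agree; return the names that do not."""
    return [e.name for e in entries
            if e.compress_type == zipfile.ZIP_STORED
            and e.compress_size != e.file_size]


def scan(fileobj):
    """Run both checks on a seekable file object holding a ZIP archive."""
    entries = entries_from_zip(fileobj)
    return {
        "overlaps": find_overlaps(entries),
        "stored_size_mismatches": stored_size_mismatches(entries),
    }


def build_sample_zip():
    """Constructed sample: an ordinary two-file archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello " * 100)
        zf.writestr("b.txt", b"world " * 100)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # A clean archive yields empty lists for both checks.
    print(scan(build_sample_zip()))
```

The local header is re-read rather than trusted from the central directory because the two copies of the filename and extra field may differ in length, and the local one is what determines where the compressed data actually begins. For a file on disk, open it in binary mode and pass the file object to scan.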
===== system/nvi =====
The last release from repo.or.cz was 1.81.6 on 18 November 2007. The
following CVE appears to have never been addressed (except by individual
distros):
CVE-2001-1562: Format string vulnerability in nvi allows local users to
gain privileges via format string specifiers in a filename.
(this one is relatively minor, despite the scary description, since as
far as I know the format string is only used in a status message and not
for the final save location of the file)
Additionally, Debian also patched a few other bugs that our nvi
currently exhibits, such as:
* nvi issues a warning on startup due to an incompatibility with
system/db~4:
BDB0635 DB_CREATE must be specified to create databases.
* nvi segfaults if a trailing tab is pushed to a new line by inserting
characters before it if 'set number' is in effect
Merge request URL:
https://code.foxkit.us/adelie/packages/merge_requests/414